CVE-2025-48989

Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected. Users are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108 which fix the issue.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://lists.apache.org/thread/9ydfg0xr0tchmglcprhxgwhj0hfwxlyf	Mailing List Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:tomcat::::::::
	cpe:2.3:a:apache:tomcat::::::::
	cpe:2.3:a:apache:tomcat::::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone1::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone10::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone11::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone12::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone13::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone14::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone15::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone16::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone17::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone18::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone19::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone2::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone20::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone21::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone22::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone23::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone24::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone25::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone26::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone27::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone3::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone4::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone5::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone6::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone7::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone8::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone9::::::

History

18 Aug 2025, 18:34

Type	Values Removed	Values Added
References	~~() https://lists.apache.org/thread/9ydfg0xr0tchmglcprhxgwhj0hfwxlyf -~~	() https://lists.apache.org/thread/9ydfg0xr0tchmglcprhxgwhj0hfwxlyf - Mailing List, Vendor Advisory
First Time		Apache Apache tomcat
CPE		cpe:2.3:a:apache:tomcat:9.0.0:milestone24:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone15:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone12:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone14:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone19:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone22:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone1:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone9:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone11:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone4:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone26:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone21:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone8:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone16:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone25:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone6:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone27:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone7:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone20:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone18:::::: cpe:2.3:a:apache:tomcat:::::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone23:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone17:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone13:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone5:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone2:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone10:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone3::::::

13 Aug 2025, 20:15

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5

13 Aug 2025, 17:33

Type	Values Removed	Values Added
Summary		(es) Una vulnerabilidad de apagado o liberación incorrecta de recursos en Apache Tomcat lo hizo vulnerable al ataque "Maked You Reset". Este problema afecta a Apache Tomcat desde la versión 11.0.0-M1 hasta la 11.0.9, desde la 10.1.0-M1 hasta la 10.1.43 y desde la 9.0.0.M1 hasta la 9.0.107. Las versiones anteriores al final de su vida útil también pueden verse afectadas. Se recomienda actualizar a una de las versiones 11.0.10, 10.1.44 o 9.0.108, que solucionan el problema.

13 Aug 2025, 13:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-13 13:15

Updated : 2025-08-18 18:34

NVD link : CVE-2025-48989

Mitre link : CVE-2025-48989

CVE.ORG link : CVE-2025-48989

JSON object : View

Products Affected

apache

tomcat

CWE

CWE-404

Improper Resource Shutdown or Release

7.5 /10